jq: Fix CVE-2015-8863 and CVE-2016-4074 (#18908)

jq has not had a release since v1.5 in August 2015, so backport both of these patches (the fix for CVE-2015-8863 is in the current master, while the fix for CVE-2016-4074 is not yet in master).
2016-09-25 09:14:52 -04:00 · 2016-09-25 09:14:52 -04:00 · bfbca9dacd
commit bfbca9dacd
parent 7615d6385a
1 changed files with 26 additions and 20 deletions
--- a/pkgs/development/tools/jq/default.nix
+++ b/pkgs/development/tools/jq/default.nix
@ -1,33 +1,39 @@
-{stdenv, fetchurl, oniguruma}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="jq";
-    version="1.5";
-    name="${baseName}-${version}";
+{ stdenv, lib, fetchurl, fetchpatch, oniguruma }:
+
+stdenv.mkDerivation rec {
+  name = "jq-${version}";
+  version="1.5";
+
+  src = fetchurl {
    url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz";
    sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
  };
-  buildInputs = [
-    oniguruma
+
+  buildInputs = [ oniguruma ];
+
+  patches = [
+    (fetchpatch {
+      name = "CVE-2015-8863.patch";
+      url = https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.diff;
+      sha256 = "18bjanzvklfzlzzd690y88725l7iwl4f6wnr429na5pfmircbpvh";
+    })
+    (fetchpatch {
+      name = "CVE-2016-4074.patch";
+      url = https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff;
+      sha256 = "1w8bapnyp56di6p9casbfczfn8258rw0z16grydavdjddfm280l9";
+    })
  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+  patchFlags = [ "-p2" ]; # `src` subdir was introduced after v1.5 was released

  # jq is linked to libjq:
  configureFlags = [
    "LDFLAGS=-Wl,-rpath,\\\${libdir}"
  ];
+
  meta = {
-    inherit (s) version;
    description = ''A lightweight and flexible command-line JSON processor'';
-    license = stdenv.lib.licenses.mit ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ raskin ];
+    platforms = with lib.platforms; linux ++ darwin;
  };
 }